Uploaded image for project: 'Maven Shared Components'
  1. Maven Shared Components
  2. MSHARED-297

Commandline class shell injection vulnerabilities

    XMLWordPrintableJSON

Details

    Description

      The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

      The BourneShell class should unconditionally single-quote emitted strings (including the name of the command itself being quoted), with '"'"' used for embedded single quotes, for maximum safety across shells implementing a superset of POSIX quoting rules.

      An appropriate fix has been built and applied against PLXUTILS; that patch is submitted here in the hope that it will be useful, though it is not expected to apply to the maven-shared-utils codebase without modification.

      See PLXUTILS-161 for history/discussion.

      Attachments

        1. use-no-shell-r2.patch
          21 kB
          Charles Duffy

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MSHARED-431 # (Hash-Sign) should trigger quoting in BourneShell.java

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Pull Request #40

          Activity

            People

              slachiewicz Sylwester Lachiewicz
              charles@dyfis.net Charles Duffy
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: